Interview with the Vista Pwn2Own contest winners

Summary: Our coverage of the Pwn2Own contest has received a lot of attention, so I thought it would make sense to go straight to the source of the Adobe Flash exploit to get some first-hand accounts of what went down.

Update 04/03/2008: I've updated the article because the link to k2's blog was apparently broken. It's also important to note that Derek Callaway was a part of this research and exploitation as well, which I neglected to mention.

Our coverage of the Pwn2Own contest has obviously received a lot of attention in the talkbacks (see: MacBook Air falls in two minutes at PWN 2 OWN; Vista falls in Pwn2Own contests final day to a flaw in Adobe Flash; More details on the Pwn2Own Flash flaw that won the Vista machine; and Pwn2Own: What OS really won?), and there have been some very heated debates over a few sticking points, especially around the Flash flaw that compromised Vista. It's been outstanding, and I thank everyone who was involved in these discussions, especially n0neXn0ne and OButterball, with whom I personally had very long and detailed debates.

Here are the key issues that were debated:

  1. Who won (or who lost, depending on who's answering the question) the Pwn2Own contest? To be clear, by "who" I mean which OS.
  2. Who was vulnerable to the Adobe Flash flaw?
  3. Is the Adobe Flash flaw Adobe's fault, or the fault of the operating system (or Sun's)?

Well, I thought it would make sense to go straight to the source of the Adobe Flash exploit to get some first-hand accounts of what went down, so I interviewed Shane Macaulay (aka k2, pictured on the right in the image taken from the ZDI website) and Alexander Sotirov (pictured on the left in the same image). It was a great interview, which I present below:

Nate: The flaw you discovered was in Adobe Flash, was this truly a cross-platform attack?

Shane: Yeah, there's a stack issue, where a type is accepting 3 parameters when it is defined to accept 2, possibly some polymorphism/name mangling bug, but either way, this object gets called through the 3rd invalid/uninitialized memory that winds up jumping wherever we had pre-filled memory to.

Nate: So then, do you have exploit code for all three of the operating systems, or are you certain that you could've written exploit code given enough time?

Shane: Could have been done with enough time, I haven’t used gdb in years, that's the main hurdle right now. My professional career has been on the Microsoft platform so I've not had the time to work with *nix much.

Nate: Why choose Vista over *Nix or the Mac?

Shane: Oh I guess I just answered that one. Not to mention once the flaw was used once, we couldn't use it again to pwn the other machines.

Nate: So, the InfoWorld article mentions that you brought Alexander into the mix for some additional Ninjitsu and that the use of Java was involved... can you confirm my assumption that you used a Java applet to bypass the DEP restrictions (since JVM doesn't play nice with DEP) and that this is a buffer overflow type issue within Flash?

Shane: I'll defer to the esteemed Mr. Sotirov

Alex: The target machine had a non-executable heap in the Internet Explorer process, which prevented Shane from using JavaScript heap spraying to execute shellcode on the heap. I had done some research on bypassing DEP and I had an exploitation technique that we could use in this exploit. We utilized a Java applet to allocate executable memory and fill it with shellcode. I’d like to point out that this is not a vulnerability in Java, but simply a way to use Java applets to make the exploitation of other vulnerabilities easier. I have a few other techniques for bypassing DEP, so the Flash vulnerability could have been exploited without Java as well.

Nate: Considering Sotirov is well known for his "Javascript Heap Fung Shui" did that come into play here? Did you use Java or JavaScript to prepare the heap for this exploit to work?

Shane: I guess we shouldn't answer a question phrased like that. We did not need the Fung Shui, but both Java and JavaScript were used. There is some chance that ActionScript could've been used, but that would have tweaked the target.

Alex: The Heap Feng Shui technique was not needed for exploiting this vulnerability, but Charlie Miller used an OSX port of my Heap Feng Shui library to pwn the MacBook Air on day two. I think it’s pretty cool to have my code involved in winning both laptops this year.

Nate: Yeah, that is bad ass. I’ve actually used your Heap Feng Shui attacks in my own research, but I was unaware that there was a port to Mac… that’s very interesting and likely makes my job a bit easier going forward! Any more details you can give on where the exploit occurred within flash?

Shane: I think we have to plead the fifth, until the bulletin is issued, save details in question 1.

Nate: What are you going to do with the money and laptop?

Shane: B0000m eBay!! If the laptop was even 1/4 as good as the MacBook I got last year I would have kept it, but as it turns out, I had to add in a +1GB of RAM for the offer on eBay to make sure it's a solid box for whoever gets it.

Alex: I'm doing this for the chicks, not the money.

Nate: HAHAHAAHA! So, Shane, after two years of being on the successful winning team, how long do you think you can keep the streak going? Will you be attempting a three-peat?

Shane: I've been considering the trifecta; I've got an IE 0day in the hopper now (see my previous best bug ever in IE, http://systemofsystems.wordpress.com/2008/02/12/dime%e2%80%99s/), and I'll blow the dust off some exploit for use in the contest for sure.

Nate: What's up next for you guys? Any cool research you're currently looking into?

Shane: Myself, largely a product, a binary application attack system. Some features include:

  • Very high test speed (usually in the tens of thousands/sec on a single core)
  • Identified issues are categorized based on their type, read/write/exec/...
  • Code/data trace model and reverse execution
    • Helps pinpoint original flaw location
  • Optimized set generation code for inputs
  • Generates test cases for fixes
    • Not just error messages

Basically, it's a solid dynamic analysis engine with advanced data analysis for binary steering, data flow comprehension and attack capabilities. No sources required.

Alex: I have some research on bypassing DEP and ASLR that I plan to present at a future conference, as well as some social networking exploitation work. Stay tuned!

Nate: Very interesting indeed!

So, for those who have been reading the previous articles, there's some info for you straight from the researchers themselves. Thanks a lot, Shane and Alex, for taking the time! To the readers, if you have follow-up questions that you want asked, you can submit them to me via talkback and I'll do the best I can to get some answers from these guys, although keep in mind they are under NDA.

-Nate

Talkback

  • So NO, we did not duplicate it on any other platform.

    What Nate states is this is a compiler issue with a polymorphism/name mangling bug. Therefore, it is not an Adobe coding issue. So my questions still remain:
    1) Have you duplicated this on another platform?
    No.
    2) What compiler did Adobe use to compile Flash?
    Bet it was Visual C++ by MS.

    Nate: The flaw you discovered was in Adobe Flash, was this truly a cross-platform attack?
    Shane: Yeah, there's a stack issue, where a type is accepting 3 parameters when it is defined to accept 2, possibly some polymorphism/name mangling bug, but either way, this object gets called through the 3rd invalid/uninitialized memory that winds up jumping wherever we had pre-filled memory to.
    LittleGuy
    • Argh...

      It's not a compiler issue. It's an issue in the code.

      Second, he says that the exploit would've worked on the other platforms as well, he just didn't code the exploit code.

      What you are saying is that it's not an issue if you are vulnerable. The other systems absolutely could've been owned, it's just a matter of time, but you are saying because they weren't owned at the conference it's not an issue. That doesn't add up.

      -Nate
      nmcfeters
      • You are showing your ignorance, name mangling

        is a compiler issue and has nothing to do with source code written by humans. Name mangling occurs when the source code is turned into assembly by the compiler.
        And my point is you have proved nothing about other platforms until you prove it. You have not.
        LittleGuy
        • Details

          Look we don't have enough details. If this was a compiler issue, it would be across Flash and all of the applications that were compiled with that compiler.

          I don't think that's what we are talking about here.

          I think until the details come out we are going to have to leave it alone, but you are asking me to prove something about the other platforms and I didn't write the exploit. I owe you no proof.

          The developers of the exploit claim it's cross-platform. If that's not good enough for you, prove it to yourself. If you require exploit code to prove it works, then why aren't you also saying this isn't an issue on Vista? We've not seen the exploit code.

          You're showing your bias.

          -Nate
          nmcfeters
          • Not enough proof, we agree.

            Compiler problem does not mean it will affect all applications compiled with that compiler.
            LittleGuy
          • Agreed

            Ok, yep, I'll buy that. We'll just have to wait and see on this one... it's been interesting debates though. Watch us all be way off :).

            -Nate
            nmcfeters
          • We will never know the truth, because

            no one will take it that far. To me this is the problem with today's OSes and tools. Way too complex, way too many variables involved and everybody blaming everyone else. It leaves little room for success for the little guy. It's always the little guy's fault, but the little guy is at the mercy of the big boys. It used to be I could run a debugger and prove to the big boys that they had a problem. Today you can't do that, APIs must be hidden. Why? So we can't prove it's the big boys' problem!
            LittleGuy
  • RE: Interview with the Vista Pwn2Own contest winners

    This article is going to tick off a lot of ABM'ers because Microsoft was never at fault which we all knew to begin with. Excellent article and interview Nate.
    Loverock Davidson
    • Right on!

      Good man, I'm glad someone's getting the point!!!

      -Nate
      nmcfeters
      • That is the problem

        Many actually [i]do[/i] get the point, while many others refuse to accept it (or to borrow a quote:)

        [i]"I reject your reality and substitute my own"[/i]
        GuidingLight
        • Yeah

          Refusing to accept the reality that is factual is insanity.

          -Nate
          nmcfeters
    • Excuses, Excuses LoserBoy

      The fault was in Flash yes, but Vista still allowed them in.

      Try again.
      itanalyst2@...
      • Correction

        The fault was in Flash, but all three OS's would've let them in. I'm going to have to stop arguing this issue because it's just taking too much of my time to convince people that the app and the OS are not as separate as you think.

        OS's (and I mean all of the OS's) have done a ton to try to mitigate these types of issues, but they CAN'T prevent these types of issues with current technology.

        -Nate
        nmcfeters
        • So you are settling into ZDnet Talkbacks now

          At which point I think the picture for "Arguing over the Internet is like..."

          I would say more, but I don't want to offend the vast majority of those who participate in the Talkbacks.
          nucrash
          • Yep

            Yeah, I've been truly shocked by the thought that a flaw in Flash is the fault of Vista. For those who actually realize that the fault was cross-platform, I've been surprised that they seem to still believe this is the fault of whichever OS is getting attacked.

            If I didn't know that I was right, I might cave into all of the responses contrary to my opinion. :)

            -Nate
            nmcfeters
          • Religion is a Terrible Thought Process

            I always assumed that we would find our gods where there is no reasonable explanation. The flaw in logic occurs when we replace a reasonable explanation with our gods.

            People think that just because there is a chink in the armor that the same production flaw doesn't exist in their own armor. They really want to believe that the problem exists with the opposition and not with themselves.

            I say let them, hopefully Darwin's theories will deal with the rest.
            nucrash
          • RE: Religion...

            Very nice, hilarious and true.

            -Nate
            nmcfeters
          • re: yep

            [b]For those who actually realize that the fault was cross-platform, I've been surprised that they seem to still believe this is the fault of whichever OS is getting attacked.[/b]

            They know it was cross-platform, but they're required by troll law to try and make it an MS issue. Even if it'd been the Ubuntu box that fell in the contest to a Flash issue, you'd be fielding talkbacks about how MS somehow forced Adobe to code an insecurity.

            [b]If I didn't know that I was right, I might cave into all of the responses contrary to my opinion.[/b]

            That's the plan, deflect and deny until everyone that's right gives up.
            rtk
          • Got Root?

            "For those who actually realize that the fault was cross-platform, I've been surprised that they seem to still believe this is the fault of whichever OS is getting attacked."

            Meanwhile some of us still await proof of Linux being 'just as vulnerable'. Namely actual proof that this attack can be used to gain root access.
            Sysadm1n
          • well, first.

            they'd have to gain root to the Vista machine, no?

            Better go back and read up on what actually went down.
            rtk